EU-US Privacy Shield annual review: privacy watchdog could issue separate report

The Article 29 Working Party said its decision to publish a separate report will depend on "the outcome of the joint review and the report of the Commission". The Working Party is a committee made up of representatives from data protection authorities based across the EU.

The Privacy Shield facilitates the transfer of personal data between the EU and US businesses signed-up to the scheme.

Last year, the European Commission deemed that data transfers handled in accordance with the Privacy Shield principles will adhere to EU data protection law requirements. The Commission negotiated amendments with US counterparts to an earlier draft of the framework following criticisms raised by the Working Party. However, the framework has continued to draw criticism from privacy campaigners and is the subject of two separate legal challenges.

A motion put forward by MEPs earlier this year cited concerns with the Privacy Shield, including how the scheme addresses US bulk surveillance powers and accounts for judicial redress for EU citizens in the US. It also highlighted concerns about limitations on the rights of data subjects and inconsistencies in wording compared with EU data protection law.

In April, the EU's justice commissioner Věra Jourová confirmed that the inaugural annual review into the operation of the EU-US Privacy Shield is to take place in September this year. Both EU and US officials will participate in the review.

In a new letter to Jourová, Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, said the review should address both "commercial aspects" and issues pertaining to "law enforcement and national security".

In an accompanying statement published alongside the letter it sent, the Working Party (WP29) said: "As for the commercial part, the WP29 has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC (US Department of Commerce) regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition of human resources data."

"Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks … precise evidence to show that bulk collection, when it exists, is 'as tailored as feasible', limited and proportionate," it said.

The Working Party also said further information is needed about the appointment of, and procedures governing the operation of, an ombudsperson tasked with handling complaints relating to the accessing of EU citizens' personal data by US intelligence agencies. Other information on members of another oversight body, the US Privacy and Civil Liberties Oversight Board, should also be provided as part of the review, it said.

Falque-Pierrotin said: "The WP29 understands that the joint review will be followed by a report of the Commission to the Council [of Minsters] and the European Parliament. In this regard, the WP29 also understands that it will be given the possibility to provide comments on the Commission’s report before the report is made public."

"Subject to the outcome of the joint review and the report of the Commission, the WP29 may also present a separate public report following the Joint review and an updated assessment of the Privacy Shield in a separate statement based on the findings presented to the plenary by the review team of the Working Party," she said.